Site-To-Site
This scenario shows how to configure and connect two subnets
with each other through a VPN tunnel and automatically configure
the negotiated remote prefixes as routes. DUT0 acts as a
responder and DUT1 as a initiator.
Test Site-To-Site With Basic Route Installation
Description
In this scenario, both devices install routes
for the VPN traffic in the main table.
Scenario
Step 1: Run the command protocols ip show route on DUT0 and check whether the output does not contain the following tokens:
K>* 10.3.0.0/24
Step 2: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf main set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1+zuqM2XE5oRsixTxMIdjYkdbr8qf7seOg= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 3: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 next-hop 80.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf main set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX196iKOpA/YstIYlLF7t8xNWrRnVrYLAmwU= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 4: Ping the IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.383 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.383/0.383/0.383/0.000 ms
Step 5: Ping the IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.222 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.222/0.222/0.222/0.000 ms
Step 6: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 62d3a7e4c02e787a_i 6398a7fab7b7647f_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 16029s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3554s, expires in 3960s in c3fbb541, 0 bytes, 0 packets out cde8e2b4, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 7: Run the command protocols ip show route on DUT0 and check whether the output contains the following tokens:
K>* 10.3.0.0/24Show output
Codes: K - kernel route, C - connected, L - local, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, f - OpenFabric, t - Table-Direct, > - selected route, * - FIB route, q - queued, r - rejected, b - backup t - trapped, o - offload failure IPv4 unicast VRF default: C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:05 L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:05 K>* 10.3.0.0/24 [0/0] via 80.0.0.2, eth0, weight 1, 00:00:00 C>* 80.0.0.0/24 is directly connected, eth0, weight 1, 00:00:05 L>* 80.0.0.1/32 is directly connected, eth0, weight 1, 00:00:05
Step 8: Run the command vpn ipsec clear sa on DUT1 and expect the following output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 1
Step 9: Run the command vpn ipsec initiate peer PEER on DUT1 and expect the following output:
Show output
Initiating IPSec SAs... 100.00% Initiated tunnels: 1
Step 10: Ping the IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.550 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.550/0.550/0.550/0.000 ms
Step 11: Initiate a tcp connection from DUT1 to DUT0 and exchange messages between both endpoints
admin@DUT0$ monitor test connection server 8080 tcp admin@DUT1$ monitor test connection client 10.1.0.1 8080 tcp local-address 10.3.0.1
Step 12: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, 80a7fb9066e99d0c_i f412238ff3fec69d_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 3s ago, rekeying in 15474s peer-PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 3s ago, rekeying in 3493s, expires in 3957s in c616aca5, 712 bytes, 11 packets, 1s ago out cc0aee58, 660 bytes, 10 packets, 1s ago local 10.1.0.0/24 remote 10.3.0.0/24
Test Site-To-Site With VRF Route Installation
Description
In this scenario, DUT0 install reoutes
in a separate VRF called LAN.
Scenario
Step 1: Run the command protocols vrf LAN ip show route on DUT0 and check whether the output does not contain the following tokens:
K>* 10.3.0.0/24Show output
% VRF LAN not found
Step 2: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces dummy dum0 vrf LAN set interfaces ethernet eth0 address 80.0.0.1/24 set interfaces ethernet eth0 vrf WAN set protocols vrf WAN static route 10.1.0.0/24 next-hop-vrf LAN set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf LAN set system vrf WAN set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1+3zREix/GFiw9UfoDRKk5GXOZH42g3YQM= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 install-routes LAN set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24
Step 3: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 next-hop 80.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf main set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX1+vdsqgUKk1/DT+4AXxjUV70hSThptUfQc= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 4: Ping the IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.330 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.330/0.330/0.330/0.000 ms
Step 5: Ping the IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 vrf WAN count 1 size 56 timeout 1Show output
ping: Warning: source address might be selected on device other than: WAN PING 80.0.0.2 (80.0.0.2) from 80.0.0.1 WAN: 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.329 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.329/0.329/0.329/0.000 ms
Step 6: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 247bfbcc7b131995_i 42041f7dd1c6436c_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 19462s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3272s, expires in 3960s in c05dd153, 0 bytes, 0 packets out cf542b1a, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 7: Run the command protocols vrf LAN ip show route on DUT0 and check whether the output contains the following tokens:
K>* 10.3.0.0/24Show output
Codes: K - kernel route, C - connected, L - local, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, f - OpenFabric, t - Table-Direct, > - selected route, * - FIB route, q - queued, r - rejected, b - backup t - trapped, o - offload failure IPv4 unicast VRF LAN: K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), weight 1, 00:00:05 C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:05 L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:05 K>* 10.3.0.0/24 [0/0] via 80.0.0.2, eth0 (vrf WAN), weight 1, 00:00:00 K>* 127.0.0.0/8 [0/0] is directly connected, LAN, weight 1, 00:00:05
Step 8: Run the command vpn ipsec clear sa on DUT1 and expect the following output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 1
Step 9: Run the command vpn ipsec initiate peer PEER on DUT1 and expect the following output:
Show output
Initiating IPSec SAs... 100.00% Initiated tunnels: 1
Step 10: Ping the IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.549 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.549/0.549/0.549/0.000 ms
Step 11: Initiate a tcp connection from DUT1 to DUT0 and exchange messages between both endpoints
admin@DUT0$ monitor test connection server 8080 tcp vrf LAN admin@DUT1$ monitor test connection client 10.1.0.1 8080 tcp local-address 10.3.0.1
Step 12: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER: #2, ESTABLISHED, IKEv2, cef370eba23e213b_i 27a503533f5f5f84_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 3s ago, rekeying in 24460s peer-PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 3s ago, rekeying in 3277s, expires in 3957s in c28f0b55, 712 bytes, 11 packets, 0s ago out c9f0a851, 660 bytes, 10 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24
Test Site-To-Site With Route Installation And Metrics
Description
In this scenario, DUT0 installs routes with
differents metrics for both IPsec peers. The point is
to check if the routes are installed correctly and most
importantly, whenever the prioritized route is down, the
backup route is used.
Scenario
Step 1: Run the command protocols ip show route on DUT0 and check whether the output does not contain the following tokens:
K>* 10.3.0.0/24
Step 2: Set the following configuration in DUT0 :
set interfaces dummy dum0 address 10.1.0.1/24 set interfaces ethernet eth0 address 80.0.0.1/24 set interfaces ethernet eth1 address 90.0.0.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf main set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX18l0jSN/KlytxAAOD9PBXJ9fXiabKmKJO8= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec logging log-types any log-level 2 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type respond set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.1 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.2 set vpn ipsec site-to-site peer PEER tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 route-priority 10 set vpn ipsec site-to-site peer PEER1 auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER1 connection-type respond set vpn ipsec site-to-site peer PEER1 default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER1 ike-group IKE-SA set vpn ipsec site-to-site peer PEER1 local-address 90.0.0.1 set vpn ipsec site-to-site peer PEER1 remote-address 90.0.0.3 set vpn ipsec site-to-site peer PEER1 tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER1 tunnel 1 local prefix 10.1.0.0/24 set vpn ipsec site-to-site peer PEER1 tunnel 1 remote prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER1 tunnel 1 route-priority 100
Step 3: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth0 address 80.0.0.2/24 set protocols static route 0.0.0.0/0 next-hop 80.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf main set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX184PVir4P2Qn9eQXaIPCA+CHc5jx5E5Ic8= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 80.0.0.2 set vpn ipsec site-to-site peer PEER remote-address 80.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 install-routes main set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 4: Set the following configuration in DUT2 :
set interfaces dummy dum0 address 10.3.0.1/24 set interfaces ethernet eth1 address 90.0.0.3/24 set protocols static route 0.0.0.0/0 next-hop 90.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk %any encrypted-secret U2FsdGVkX19FEyubgz4Fo2pRwJC5Kmz01mR1oNlYKMQ= set vpn ipsec auth-profile AUTH-SA local auth ike-psk id %any set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id %any set vpn ipsec esp-group CHILD-SA mode tunnel set vpn ipsec esp-group CHILD-SA proposal 1 encryption aes256gcm128 set vpn ipsec esp-group CHILD-SA proposal 1 pfs dh-group19 set vpn ipsec ike-group IKE-SA key-exchange ikev2 set vpn ipsec ike-group IKE-SA proposal 1 dh-group 19 set vpn ipsec ike-group IKE-SA proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE-SA proposal 1 hash sha256 set vpn ipsec site-to-site peer PEER auth-profile AUTH-SA set vpn ipsec site-to-site peer PEER connection-type initiate set vpn ipsec site-to-site peer PEER default-esp-group CHILD-SA set vpn ipsec site-to-site peer PEER ike-group IKE-SA set vpn ipsec site-to-site peer PEER local-address 90.0.0.3 set vpn ipsec site-to-site peer PEER remote-address 90.0.0.1 set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 10.3.0.0/24 set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 10.1.0.0/24
Step 5: Ping the IP address 80.0.0.1 from DUT1:
admin@DUT1$ ping 80.0.0.1 count 1 size 56 timeout 1Show output
PING 80.0.0.1 (80.0.0.1) 56(84) bytes of data. 64 bytes from 80.0.0.1: icmp_seq=1 ttl=64 time=0.584 ms --- 80.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.584/0.584/0.584/0.000 ms
Step 6: Ping the IP address 80.0.0.2 from DUT0:
admin@DUT0$ ping 80.0.0.2 count 1 size 56 timeout 1Show output
PING 80.0.0.2 (80.0.0.2) 56(84) bytes of data. 64 bytes from 80.0.0.2: icmp_seq=1 ttl=64 time=0.283 ms --- 80.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.283/0.283/0.283/0.000 ms
Step 7: Ping the IP address 90.0.0.3 from DUT2:
admin@DUT2$ ping 90.0.0.3 count 1 size 56 timeout 1Show output
PING 90.0.0.3 (90.0.0.3) 56(84) bytes of data. 64 bytes from 90.0.0.3: icmp_seq=1 ttl=64 time=0.028 ms --- 90.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.028/0.028/0.028/0.000 ms
Step 8: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
peer-PEER-tunnel-\d+.+INSTALLEDShow output
vpn-peer-PEER1: #2, ESTABLISHED, IKEv2, 5e41c09e41ce09e8_i a10ef5edd2c759eb_r* local '90.0.0.1' @ 90.0.0.1[500] remote '90.0.0.3' @ 90.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 0s ago, rekeying in 21736s peer-PEER1-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 0s ago, rekeying in 3337s, expires in 3960s in cdf18188, 0 bytes, 0 packets out c3ec9150, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #1, ESTABLISHED, IKEv2, 3920d194e714514b_i 0711a88d93bf61fa_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 5s ago, rekeying in 20404s peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 5s ago, rekeying in 3406s, expires in 3955s in c3b01385, 0 bytes, 0 packets out c3a79636, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24
Step 9: Run the command protocols ip show route on DUT0 and check whether the output contains the following tokens:
K>* 10.3.0.0/24Show output
Codes: K - kernel route, C - connected, L - local, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, f - OpenFabric, t - Table-Direct, > - selected route, * - FIB route, q - queued, r - rejected, b - backup t - trapped, o - offload failure IPv4 unicast VRF default: C>* 10.1.0.0/24 is directly connected, dum0, weight 1, 00:00:10 L>* 10.1.0.1/32 is directly connected, dum0, weight 1, 00:00:10 K * 10.3.0.0/24 [0/100] via 90.0.0.3, eth1, weight 1, 00:00:00 K>* 10.3.0.0/24 [0/10] via 80.0.0.2, eth0, weight 1, 00:00:05 C>* 80.0.0.0/24 is directly connected, eth0, weight 1, 00:00:09 L>* 80.0.0.1/32 is directly connected, eth0, weight 1, 00:00:09 C>* 90.0.0.0/24 is directly connected, eth1, weight 1, 00:00:09 L>* 90.0.0.1/32 is directly connected, eth1, weight 1, 00:00:09
Step 10: Run the command show system route ip on DUT0 and check whether the output contains the following tokens:
10.3.0.0/24 via 90.0.0.3 dev eth1 proto static metric 100 10.3.0.0/24 via 80.0.0.2 dev eth0 proto static metric 10Show output
10.1.0.0/24 dev dum0 proto kernel scope link src 10.1.0.1 10.3.0.0/24 via 80.0.0.2 dev eth0 proto static metric 10 10.3.0.0/24 via 90.0.0.3 dev eth1 proto static metric 100 80.0.0.0/24 dev eth0 proto kernel scope link src 80.0.0.1 90.0.0.0/24 dev eth1 proto kernel scope link src 90.0.0.1
Note
The tunnel with the lowest metric configured in the route-priority parameter should be the one used to route the traffic.
Step 11: Run the command vpn ipsec clear sa on DUT1 and expect the following output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 1
Step 12: Run the command vpn ipsec initiate peer PEER on DUT1 and expect the following output:
Show output
Initiating IPSec SAs... 100.00% Initiated tunnels: 1
Step 13: Ping the IP address 10.1.0.1 from DUT1:
admin@DUT1$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.607 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.607/0.607/0.607/0.000 ms
Step 14: Initiate a tcp connection from DUT1 to DUT0 and exchange messages between both endpoints
admin@DUT0$ monitor test connection server 8080 tcp admin@DUT1$ monitor test connection client 10.1.0.1 8080 tcp local-address 10.3.0.1
Step 15: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER1: #2, ESTABLISHED, IKEv2, 5e41c09e41ce09e8_i a10ef5edd2c759eb_r* local '90.0.0.1' @ 90.0.0.1[500] remote '90.0.0.3' @ 90.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 3s ago, rekeying in 21733s peer-PEER1-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 3s ago, rekeying in 3334s, expires in 3957s in cdf18188, 0 bytes, 0 packets out c3ec9150, 0 bytes, 0 packets local 10.1.0.0/24 remote 10.3.0.0/24 vpn-peer-PEER: #3, ESTABLISHED, IKEv2, 71c4135c6d49f021_i 34e1388c9d615f8a_r* local '80.0.0.1' @ 80.0.0.1[500] remote '80.0.0.2' @ 80.0.0.2[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 2s ago, rekeying in 22166s peer-PEER-tunnel-1: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 2s ago, rekeying in 3308s, expires in 3958s in c137ce02, 712 bytes, 11 packets, 0s ago out cb7b1a17, 660 bytes, 10 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24
Note
Now we will shutdown the tunnel with the lowest metric from DUT1 and check if the traffic is routed through the backup tunnel.
Step 16: Run the command vpn ipsec clear sa on DUT1 and expect the following output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 1
Step 17: Run the command vpn ipsec clear sa on DUT2 and expect the following output:
Show output
Deleting IPSec SAs... 100.00% Closed tunnels: 1
Step 18: Run the command vpn ipsec initiate peer PEER on DUT2 and expect the following output:
Show output
Initiating IPSec SAs... 100.00% Initiated tunnels: 1
Step 19: Ping the IP address 10.1.0.1 from DUT2:
admin@DUT2$ ping 10.1.0.1 local-address 10.3.0.1 count 1 size 56 timeout 1Show output
PING 10.1.0.1 (10.1.0.1) from 10.3.0.1 : 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.306 ms --- 10.1.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.306/0.306/0.306/0.000 ms
Step 20: Initiate a tcp connection from DUT2 to DUT0 and exchange messages between both endpoints
admin@DUT0$ monitor test connection server 8080 tcp admin@DUT2$ monitor test connection client 10.1.0.1 8080 tcp local-address 10.3.0.1
Step 21: Run the command vpn ipsec show sa on DUT0 and check whether the output matches the following regular expressions:
[1-9]\d? packetsShow output
vpn-peer-PEER1: #4, ESTABLISHED, IKEv2, 3c408d5a7a3c6a44_i 19356aa9294a8d1c_r* local '90.0.0.1' @ 90.0.0.1[500] remote '90.0.0.3' @ 90.0.0.3[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 2s ago, rekeying in 18228s peer-PEER1-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 2s ago, rekeying in 3371s, expires in 3958s in c8bcbc15, 712 bytes, 11 packets, 0s ago out cc94888b, 660 bytes, 10 packets, 0s ago local 10.1.0.0/24 remote 10.3.0.0/24
Step 22: Run the command show system route ip on DUT0 and check whether the output contains the following tokens:
10.3.0.0/24 via 90.0.0.3 dev eth1 proto static metric 100Show output
10.1.0.0/24 dev dum0 proto kernel scope link src 10.1.0.1 10.3.0.0/24 via 90.0.0.3 dev eth1 proto static metric 100 80.0.0.0/24 dev eth0 proto kernel scope link src 80.0.0.1 90.0.0.0/24 dev eth1 proto kernel scope link src 90.0.0.1
Step 23: Run the command show system route ip on DUT0 and check whether the output does not contain the following tokens:
10.3.0.0/24 via 80.0.0.2 dev eth0 proto static metric 10Show output
10.1.0.0/24 dev dum0 proto kernel scope link src 10.1.0.1 10.3.0.0/24 via 90.0.0.3 dev eth1 proto static metric 100 80.0.0.0/24 dev eth0 proto kernel scope link src 80.0.0.1 90.0.0.0/24 dev eth1 proto kernel scope link src 90.0.0.1